CVE-2025-38052

In the Linux kernel, the following vulnerability has been resolved: net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done Syzbot reported a slab-use-after-free with the following call trace: ==================================================================BUG: KASAN: slab-use-after-free...

CVE-2025-38065

In the Linux kernel, the following vulnerability has been resolved: orangefs: Do not truncate file size 'len' is used to store the result of i_size_read(), so making 'len'a size_t results in truncation to 4GiB on 32-bit systems.

CVE-2025-38080

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Increase block_sequence array size [Why]It's possible to generate more than 50 steps in hwss_build_fast_sequence,for example with a 6-pipe asic where all pipes are in one MPC chain. Thisoverflows the block_sequence...

CVE-2025-38081

In the Linux kernel, the following vulnerability has been resolved: spi-rockchip: Fix register out of bounds access Do not write native chip select stuff for GPIO chip selects.GPIOs can be numbered much higher than native CS.Also, it makes no sense.

CVE-2025-38094

In the Linux kernel, the following vulnerability has been resolved: net: cadence: macb: Fix a possible deadlock in macb_halt_tx. There is a situation where after THALT is set high, TGO stays high aswell. Because jiffies are never updated, as we are in a context withinterrupts disabled, we never exi...

CVE-2025-38126

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping The stmmac platform drivers that do not open-code the clk_ptp_rate valueafter having retrieved the default one from the device-tree can end upwith 0 in c...

CVE-2025-38174

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Do not double dequeue a configuration request Some of our devices crash in tb_cfg_request_dequeue(): general protection fault, probably for non-canonical address 0xdead000000000122 CPU: 6 PID: 91007 Comm: kworker/6:2 T...

CVE-2025-38194

In the Linux kernel, the following vulnerability has been resolved: jffs2: check that raw node were preallocated before writing summary Syzkaller detected a kernel bug in jffs2_link_node_ref, caused by faultinjection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn'tcheck return value...

CVE-2025-38197

In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell_rbu: Fix list usage Pass the correct list head to list_for_each_entry*() when looping throughthe packet list. Without this patch, reading the packet data via sysfs will show the dataincorrectly (because it starts...

CVE-2025-38198

In the Linux kernel, the following vulnerability has been resolved: fbcon: Make sure modelist not set on unregistered console It looks like attempting to write to the "store_modes" sysfs node willrun afoul of unregistered consoles: UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon....

CVE-2025-38218

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on sit_bitmap_size w/ below testcase, resize will generate a corrupted image whichcontains inconsistent metadata, so when mounting such image, itwill trigger kernel panic: touch imgtruncate -s $((512102...

CVE-2025-38219

In the Linux kernel, the following vulnerability has been resolved: f2fs: prevent kernel warning due to negative i_nlink from corrupted image WARNING: CPU: 1 PID: 9426 at fs/inode.c:417 drop_nlink+0xac/0xd0home/cc/linux/fs/inode.c:417Modules linked in:CPU: 1 UID: 0 PID: 9426 Comm: syz-executor568 N...

CVE-2025-38229

In the Linux kernel, the following vulnerability has been resolved: media: cxusb: no longer judge rbuf when the write fails syzbot reported a uninit-value in cxusb_i2c_xfer. [1] Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw()succeeds and rlen is greater than 0, the read oper...

CVE-2025-38265

In the Linux kernel, the following vulnerability has been resolved: serial: jsm: fix NPE during jsm_uart_port_init No device was set which caused serial_base_ctrl_add to crash. BUG: kernel NULL pointer dereference, address: 0000000000000050Oops: Oops: 0000 [#1] PREEMPT SMP NOPTICPU: 16 UID: 0 PID: ...

CVE-2025-38336

In the Linux kernel, the following vulnerability has been resolved: ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 The controller has a hardware bug that can hard hang the system whendoing ATAPI DMAs without any trace of what happened. Depending on thedevice attached, it can also preve...

CVE-2025-38349

In the Linux kernel, the following vulnerability has been resolved: eventpoll: don't decrement ep refcount while still holding the ep mutex Jann Horn points out that epoll is decrementing the ep refcount and thendoing a mutex_unlock(&ep->mtx); afterwards. That's very wrong, because it can lead t...

CVE-2025-38363

In the Linux kernel, the following vulnerability has been resolved: drm/tegra: Fix a possible null pointer dereference In tegra_crtc_reset(), new memory is allocated with kzalloc(), butno check is performed. Before calling __drm_atomic_helper_crtc_reset,state should be checked to prevent possible n...

CVE-2025-38391

In the Linux kernel, the following vulnerability has been resolved: usb: typec: altmodes/displayport: do not index invalid pin_assignments A poorly implemented DisplayPort Alt Mode port partner can indicatethat its pin assignment capabilities are greater than the maximumvalue, DP_PIN_ASSIGN_F. In t...

CVE-2025-38395

In the Linux kernel, the following vulnerability has been resolved: regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods drvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. Butthe memory is allocated for only one pointer. This will lead toout-of-bounds access later in ...

CVE-2025-38396

In the Linux kernel, the following vulnerability has been resolved: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Export anon_inode_make_secure_inode() to allow KVM guest_memfd to createanonymous inodes with proper security context. This replaces the currentpattern of calli...

CVE-2025-38415

In the Linux kernel, the following vulnerability has been resolved: Squashfs: check return result of sb_min_blocksize Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug. Syzkaller forks multiple processes which after mounting the Squashfsfilesystem, issues an ioctl("/dev/loo...

CVE-2025-38437

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potential use-after-free in oplock/lease break ack If ksmbd_iov_pin_rsp return error, use-after-free can happen byaccessing opinfo->state and opinfo_put and ksmbd_fd_put couldcalled twice.

CVE-2025-38465

In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)atomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same proble...

CVE-2025-38498

In the Linux kernel, the following vulnerability has been resolved: do_change_type(): refuse to operate on unmounted/not ours mounts Ensure that propagation settings can only be changed for mounts locatedin the caller's mount namespace. This change aligns permission checkingwith the rest of mount(2...

CVE-1999-1442

Bug in AMD K6 processor on Linux 2.0.x and 2.1.x kernels allows local users to cause a denial of service (crash) via a particular sequence of instructions, possibly related to accessing addresses outside of segments.

CVE-2002-0499

The d_path function in Linux kernel 2.2.20 and earlier, and 2.4.18 and earlier, truncates long pathnames without generating an error, which could allow local users to force programs to perform inappropriate operations on the wrong directories.

CVE-2002-0570

The encrypted loop device in Linux kernel 2.4.10 and earlier does not authenticate the entity that is encrypting data, which allows local users to modify encrypted data without knowing the key.

CVE-2004-0228

Integer signedness error in the cpufreq proc handler (cpufreq_procctl) in Linux kernel 2.6 allows local users to gain privileges.

CVE-2004-0596

The Equalizer Load-balancer for serial network interfaces (eql.c) in Linux kernel 2.6.x up to 2.6.7 allows local users to cause a denial of service via a non-existent device name that triggers a null dereference.

CVE-2004-2136

dm-crypt on Linux kernel 2.6.x, when used on certain file systems with a block size 1024 or greater, has certain "IV computation" weaknesses that allow watermarked files to be detected without decryption.

CVE-2005-0207

Unknown vulnerability in Linux kernel 2.4.x, 2.5.x, and 2.6.x allows NFS clients to cause a denial of service via O_DIRECT.

CVE-2005-1368

The key_user_lookup function in security/keys/key.c in Linux kernel 2.6.10 to 2.6.11.8 may allow attackers to cause a denial of service (oops) via SMP.

CVE-2005-3527

Race condition in do_coredump in signal.c in Linux kernel 2.6 allows local users to cause a denial of service by triggering a core dump in one thread while another thread has a pending SIGSTOP.

CVE-2008-3247

The LDT implementation in the Linux kernel 2.6.25.x before 2.6.25.11 on x86_64 platforms uses an incorrect size for ldt_desc, which allows local users to cause a denial of service (system crash) or possibly gain privileges via unspecified vectors.

CVE-2009-2584

Off-by-one error in the options_write function in drivers/misc/sgi-gru/gruprocfs.c in the SGI GRU driver in the Linux kernel 2.6.30.2 and earlier on ia64 and x86 platforms might allow local users to overwrite arbitrary memory locations and gain privileges via a crafted count argument, which trigger...

CVE-2009-3234

Buffer overflow in the perf_copy_attr function in kernel/perf_counter.c in the Linux kernel 2.6.31-rc1 allows local users to cause a denial of service (crash) and execute arbitrary code via a "big size data" to the perf_counter_open system call.

CVE-2009-3280

Integer signedness error in the find_ie function in net/wireless/scan.c in the cfg80211 subsystem in the Linux kernel before 2.6.31.1-rc1 allows remote attackers to cause a denial of service (soft lockup) via malformed packets.

CVE-2011-2906

Integer signedness error in the pmcraid_ioctl_passthrough function in drivers/scsi/pmcraid.c in the Linux kernel before 3.1 might allow local users to cause a denial of service (memory consumption or memory corruption) via a negative size value in an ioctl call. NOTE: this may be a vulnerability on...

CVE-2016-8391

An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.1...

CVE-2016-8419

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.1...

CVE-2016-8425

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the ope...

CVE-2016-8454

An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.1...

CVE-2017-0438

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.1...

CVE-2017-0451

An information disclosure vulnerability in the Qualcomm sound driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kern...

CVE-2017-0458

An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3....

CVE-2017-0460

An elevation of privilege vulnerability in the Qualcomm networking driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kerne...

CVE-2017-0528

An elevation of privilege vulnerability in the kernel security subsystem could enable a local malicious application to to execute code in the context of a privileged process. This issue is rated as High because it is a general bypass for a kernel level defense in depth or exploit mitigation technol...

CVE-2017-0624

An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions...

CVE-2017-8065

crypto/ccm.c in the Linux kernel 4.9.x and 4.10.x through 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual p...

CVE-2022-48819

In the Linux kernel, the following vulnerability has been resolved: tcp: take care of mixed splice()/sendmsg(MSG_ZEROCOPY) case syzbot found that mixing sendpage() and sendmsg(MSG_ZEROCOPY)calls over the same TCP socket would again trigger theinfamous warning in inet_sock_destruct() WARN_ON(sk_forw...